After diving deeper into security, I’ve come to asses that the threat modeling often discussed in the privacy community seems to be very bespoke and not formalized. After having created a formal threat model, I have not seen one here that really comes close. This isn’t to say the bespoke versions aren’t useful, but that criticisms of bespoke ones shouldn’t speak to the formal threat modeling practices. But if people are making threat models and haven’t heard of STRIDE, among other methodologies, and CIA, I would say the understand is high level.
Threat modeling is a single step to a wider process that is risk management. It’s to help manage expectations of remediation and mitigation, to help not waste time on unnecessary patches or ignore critical actions. We’ve only got so much time, might as well figure out what’s worth investing in instead of adding so much friction to our lives that isn’t necessary.